Failed silent Authentication - Login Required

Hi,

I am developing single page application in reactjs. We are registering user with username/password given by Auth0 login page. But when we make silent token authentication it throws “Login Required”. I am not sure where i am missing. When i look the logs i get below error log. But this works for old application deployed an year ago.
Type: Failed Silent Auth
{
“date”: “2020-07-28T13:45:29.244Z”,
“type”: “fsa”,
“description”: “Login required”,
“client_id”: “",
“client_name”: “Test”,
“ip”: “49.37.194.199”,
“user_agent”: “Chrome 84.0.4147 / Windows 8.1.0.0”,
“details”: {
“body”: {},
“qs”: {
“client_id”: "",
“response_type”: “token id_token”,
“redirect_uri”: “https://test.com/callback”,
“scope”: “openid”,
“audience”: "",
“state”: “fcrO3gRM9GTMA77SLtIBi~PS4OuuQVRO”,
“nonce”: “OOfAPLPOzBVhoe9M~vVOwx-4PUZhL9gf”,
“response_mode”: “web_message”,
“prompt”: “none”,
“auth0Client”: "*”
},
“connection”: null,
“error”: {
“message”: “Login required”,
“oauthError”: “login_required”,
“type”: “oauth-authorization”
}
},
“hostname”: “",
“audience”: "”,
“scope”: [
“openid”
],
“auth0_client”: {
“name”: “auth0.js”,
“version”: “9.13.4”
},
“log_id”: “90020200728134529857000203722690658044812580908754272290”,
“_id”: “90020200728134529857000203722690658044812580908754272290”,
“isMobile”: false
}

My code for renewal:
webAuth.checkSession({}, (err, authResult) => {
if (err) {
console.log(err);
return false;
}
if (!authResult || !authResult.idToken) {
console.log(“No response during renewal”);
return false;
}
this.setRenewedSession(authResult);
});

Hi @sushanthchandrasekar,

Welcome to the Community!

This error can happen when the auth0 cookies are not be sent correctly or are being blocked by ITP, or some sort of extension. Have you tried an incognito window? Or any other browsers?

Hi Dan,

Thanks for the reply.

“A cookie associated with a cross-site resource at https://test.eu.auth0.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at Chrome Platform Status and https://www.chromestatus.com/feature/5633521622188032.” in chrome incognito

We have found the issue due to sameSite cookie value in incognito window. However, as of now it is working in normal window but not in private or incognito window. Below is error thrown during renewal call:

code: “login_required”
description: “Login required”
error: “login_required”
error_description: “Login required”

Is there any way to handle such cookies in incognito window too?

Hi @sushanthchandrasekar,

Can you DM me a HAR file of the transaction?

Generate and Analyze HAR Files

@dan.woda Was there any progress in this? I’m finding the same behaviour where check checkSession returns login_required every time when in incognito mode. It works as expected in non-incognito mode.

Hi @helen.humphrey,

Sorry for the delayed response. I was OOF last week.

I never got a HAR file and was unable to investigate further. If you can DM me one I would be happy to take a look!

@dan.woda Sorry for delay. Attached 3 har files - authorize(2 files) , user call(1fileauthorize.har (91.9 KB) authorize-2.har (91.9 KB) bookmarkreading-dev.azureedge.net.har (91.9 KB) )

It looks like they are missing the auth0 cookies…well from the one transaction.

All three uploads you shared are of authorize-2.har. @sushanthchandrasekar

There should be an auth0 cookie in here.

Is it possible you are blocking cookies in some way? Privacy extensions?

By default chrome blocks cross domain cookies in incognito window.
Google Chrome - Version 84.0.4147.135 (Official Build) (64-bit) Windows 8

auth02592×1812 190 KB

@dan.woda I’m assuming there isn’t much that can be done if Auth0 rely on the cookies existence and chrome blocks those by default in incognito mode?

If I am not mistaken, this is referring to the existing cookies from your non-incognito session being used in an incognito session. Once you log in to an incognito window, the cookie should be set and silent auth should function correctly on a page refresh or call for an access token. I just tested it and can confirm it is working on my end.

Are you trying to do a silent auth in an incognito window using the cookie from a normal browsing session? If so, that will not work.

Hi there, I just noticed this as well. Everything is working fine with the checkSession call when not in incognito mode, but when in incognito mode, it throws this login_required error. How do we fix this in incognito mode? We have no special settings to turn off cookies or anything…

@dan.woda I am not switching cookies between incognito and non-incognito window during accessing applications.

As Lance said, when i do silent auth in incognito window, I am getting login_required error for checkSession method. I don’t know this is feasible answer, just my suggestion. Can we switch to some other storage like browser sessions or local storage instead of cookies?

@sushanthchandrasekar,

You can implement refresh token rotation and store them in localstorage, that should solve the cookie issue:

@dan.woda
Thanks for the solution. From your solution, I understand that storage location need to be changed to localstorage in order to access in incognito window but there is chance of XSS attack in SPA in such cases, so we need to implement Rotating token.

That is correct, we recommend using refresh token rotation. If you want to know more about how it works, I will list a few resources that explain the process. For the most part, it will be handled by the SDK and you only need to make the minor configuration changes.

Using refresh token rotation

Hope this helps,
Dan

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.