Failed Silent authentication on Auth0 after PHP SDK update

I have two systems, an e-commerce and another web application that is used to customize the e-commerce product. The user logs into the e-commerce, chooses a product, and goes to the second system. We are using the universal login to authenticate the user: the first step is on the e-commerce, and the second one is just to validate if the user is still authenticated; it uses the Auth0 silent authentication and works properly.
Due to some internal changes, we decided to create our own login page and use the PHP SDK to do the integration.
The e-commerce is using the SDK in its latest version available here: auth0-PHP/README.md at main · auth0/auth0-PHP · GitHub
The second system is still using the angular version available here: @auth0/auth0-angular - npm

After that change, I can log in and log out from Auth0 using email and password, and I can see the log on my dashboard; everything looks okay. However, when I try to go to the second system, it is not working: the silent authentication returns an error, the log description shows "Login required" and the type is "Failed Silent Auth".

On the PHP side, I am able to receive the token and all the user information, if I check if the user is authenticated following the documentation approach: auth0-PHP/README.md at main · auth0/auth0-PHP · GitHub

```php
$session = $auth0->getCredentials();

if ($session !== null) {
    // The user is signed in.
}
```

It is not null, I have all the information.

To do the login, I am using:

```php
$auth0->authentication()->login($email, $password, $realm);
```

It performs authentication successfully.

The SdkConfiguration has all the required information such as domain, clientId, clientSecret, audience, scope, etc.

Is there something missing to allow silent authentication on the second system to work? There was no change in the second system.

Version: Angular - @auth0/auth0-angular - v1.3.1
PHP - SDK - v7.4 - Universal Login working
PHP - SDK 8.0 - Custom Login not working

Hey @it-magento :wave: A lot of factors at play here, but can I ask what you have your Auth0 Client application type set as? Off the cuff, the first issue I foresee here is the PHP framework must be registered as a regular web application to function properly, but the Angular SDK functions strictly as a Single Page Application. Even if we finagled a way for them to work reliably together in this manner, because these two SDKs use different approaches to their internal/local session management, they will eventually be out of sync and unreliable as to the authentication state of the user.

An ideal approach to this would be to use the Angular frontend SDK to handle authentication entirely, and simply authorize requests to the PHP backend using an access token generated by Angular. I don’t have an example of this for Angular specifically offhand, but the PHP backend API example demonstrates a form of this using the SPA SDK (which Angular is built on): GitHub - auth0-samples/auth0-php-api-samples: Auth0 Integration Samples for PHP REST API Services

I realize this might not be an ideal configuration for your current application arrangement, but it would be much more reliable, and easier to implement really.

1 Like

Hello @evansims thank you for your answer.

So, the PHP application is a Magento e-commerce; on Auth0 it was defined as a Regular Web Application. The authentication must be at the first moment on the Magento side; the application that uses the Angular module is called after authentication on Magento. It means I have 2 different projects running with different technologies and, due to some internal necessity, I would like to create my own login page instead of continuing using the universal login. Following the doc, on the Magento app, the login app calls the PHP SDK passing the login and password; it internally does the authentication and returns what we need on the Magento side to authenticate a user. The current problem, as described, is when I go to the second system that has its own URL and so on. I am not sure if I understand your recommendation.

Hey @it-magento Gotcha, I read those systems backwards in my head somehow, sorry! So, you’re authenticating via a PHP app and attempting to silent-auth in Angular after the fact.

The login_required error is most often thrown with SPA SDKs due to third-party cookie requests being blocked by a host browser; what browser and browser version are you using? Are there any signs of blocked requests in the developer tools log of your browser? Have you tried in a different browser?

1 Like
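For reference, silent authentication at the protocol level is an OIDC `/authorize` request with `prompt=none`, which the authorization server answers from the browser's existing session with it and rejects with `login_required` when it finds none. The sketch below is an added example, not code from this thread or from either SDK; the domain, client ID, redirect URI and function names are constructed placeholders, and it uses `response_mode=query` for readability rather than the iframe flow an SPA SDK performs.

```javascript
// Added example: building a prompt=none request and classifying its response.
// All hostnames, IDs and function names here are constructed for illustration.
const INTERACTION_ERRORS = new Set([
  'login_required',          // no session at the authorization server
  'consent_required',        // session exists, consent not yet granted
  'interaction_required',    // some other UI step (e.g. MFA) is needed
]);

function buildSilentAuthUrl({ domain, clientId, redirectUri, scope,
                              state, nonce, codeChallenge, audience }) {
  const url = new URL(`https://${domain}/authorize`);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    redirect_uri: redirectUri,
    scope,
    state,                        // CSRF binding, checked on the way back
    nonce,
    code_challenge: codeChallenge, // PKCE challenge supplied by the caller
    code_challenge_method: 'S256',
    prompt: 'none',               // never show UI: succeed from session or error
    response_mode: 'query',
  }).toString();
  if (audience) url.searchParams.set('audience', audience);
  return url.toString();
}

function handleSilentAuthResponse(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  // Reject anything not bound to the request we sent, before reading it.
  if (params.get('state') !== expectedState) {
    return { action: 'reject', reason: 'state_mismatch' };
  }
  const error = params.get('error');
  if (error) {
    // Interaction errors mean "fall back to an interactive login";
    // anything else (invalid_request, unauthorized_client, ...) is a real failure.
    return INTERACTION_ERRORS.has(error)
      ? { action: 'interactive_login', reason: error }
      : { action: 'fail', reason: error };
  }
  const code = params.get('code');
  return code
    ? { action: 'exchange_code', code }
    : { action: 'fail', reason: 'missing_code' };
}
```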

Hey, @evansims, I’ve tried with different browsers and OS as well. The last one is:

Firefox 96.0.2 (64-bit) on MacOS Big Sur.

No blockers were reported. The result was the same in all of them.

On this link: Auth0 Angular works with universal Auth0 login but doesn't work with PHP SDK 8.0 - #2 by guilherme_bmq you will see the second system error. This person works with me on this functionality; he is responsible for the second system.

Would you mind sharing a code snippet containing how you’re initializing/configuring the Angular SDK? What options you’re passing to it, I mean? With any sensitive data obscured, of course. Maybe something will stand out.

1 Like

No problem @evansims, this is the initializing/configuring of the Angular SDK. Please, find attached the file.
auth0 angular - new.txt (2.7 KB)

I can involve the person responsible for that part of the system here if I need to.

Is it okay @evansims ?

Is there anyone else to help us with that?