Get new access token from auth0-spa-js

In my application that uses auth0-spa-js and Universal Login, I have the following workflow for new user signup:

  1. User signs up using Universal login.
  2. In my Angular + Spring Boot application, after having signed up, they can choose their business role (which have corresponding Auth0 roles) - this role is then added to the Auth0 user using the Management API.
  3. I have set up permissions associated with the Auth0 user roles, and am filtering access in Spring Boot based on these permissions.
  4. I have set up the corresponding API in Auth0 to include the permissions in the Access Token like so:

The problem is that the current user that has already logged in has an old Access Token, before the roles were added, and so has Authorisation issues when hitting the Spring Boot API. If they log out and log back in, everything is fine, but I am looking for a way to get an up-to-date Access Token silently for an already logged-in user.

I have tried calling getTokenSilently({ ignoreCache: true }) from auth0-spa-js, but that gives me the following error:

{error: "login_required", error_description: "Login required", state: "M0xGN3RwUkxIOWxiRm9DODNQN2laR2M5aEZOUVh1UzJmZU1KQjZzczl1cg=="}

Any help appreciated.

1 Like

Hello @andkov and thanks for reaching out!

Can you let me know if you have Allow Skipping User Consent enabled in your API settings in the Dashboard? More details on that can be found in this doc:

This error is often caused by an issue with third party cookies being blocked, causing silent authentication to be blocked.

A few things you can do to debug:

  • Try this in a different browser (safari often has this issue)
  • Try an incognito/private window to determine if it is another cookie conflicting with the issue
  • Do a getTokenSilently() request without your params to ensure this isn’t a problem with your audience/claims

Let us know what you find out!

Best,
Colin

Hi Colin, thanks for your reply.

Yes, I do have the “Allow Skipping User Consent” enabled for the API.
And yes, I did have a look at this discussion before posting:

The original problem was in Chrome. I’ve tried the same scenario in Chrome Incognito and Firefox Private windows, same exact result.

I also tried getTokenSilently() without the ignoreCache parameter, but that just returns the current token (without the roles/permissions) successfully.

For some context, there is another issue that probably has the same root cause as this, but I am not sure how to determine what this root cause is. When doing local development on localhost, refreshing the page always causes a re-login.

This seems to be because auth0Client.isAuthenticated() always returns false on page refresh. It happens in Incognito mode as well. This behaviour does not seem to happen on the test environment that is deployed to a real domain. There, the auth0Client.isAuthenticated() returns true on refresh.

I cannot seem to find any difference between the two Auth0 tenants besides the fact one has localhost and the other one doesn’t. Both tenants also use custom domains.

I suspect my original issue would work on this test environment, but would like to solve it for local anyway.

Any pointers to how to proceed?

OK, figured it out. It is the cookies issue after all (perhaps combined with using localhost, seeing as it worked from the same browsers on the domain environment) - in Chrome, I had to go to chrome://settings/content/cookies and make sure that “Block third-party cookies” is disabled. (similar for Firefox)

Apologies for the confusion.

1 Like

No worries! Glad you have figured it out eventually!

This topic was automatically closed after 4 days. New replies are no longer allowed.