getAccessTokenSilently results in a 403 when ignoreCache is set to true

franz.salvador · August 31, 2022, 8:18pm

Please include the following information in your post:

Which SDK this is regarding: Auth 0 React
SDK Version: 1.10.20
Platform Version: Windows 11
403 Error

In an effort to force reissue an access token, I have set ignoreCache to true. I am using refresh tokens and also set my cache location to local storage. The reason I am attempting to force reissue a refresh token is because I would like to refresh the access token before it actually expires. Is the issue caused by setting ignoreCache to true? Thanks in advance for any help.

dan.woda · August 31, 2022, 11:14pm

Hi @franz.salvador,

Welcome to the Auth0 Community!

Can you please share the entire error? There should be more information to help you understand what is going wrong.

franz.salvador · September 1, 2022, 1:06am

Hi Dan,

Here is the error.
err = Error: Multifactor authentication required at new OAuthError
Can this be related to setting the cacheLocation to “local storage”, then setting the ignoreCache option to true when calling getTokenSilently?

If I set the ignoreCache option to false, it works perfectly.

dan.woda · September 1, 2022, 3:25pm

This error suggests the user must authenticate with their MFA to obtain a token. It isn’t possible to get a token silently when it requires user interaction (MFA).

Setting ignoreCache to true means that the SDK must reach out to Auth0 for a new token, and can’t used a token that already exists in the cache.

Here’s a thread on how you can handle this situation:

franz.salvador · September 1, 2022, 5:56pm

I see. Thanks for your help Dan!

franz.salvador · September 1, 2022, 6:14pm

So just to confirm, there is no way to get the token silently when MFA is enabled? MFA is one of our requirements. When I initially login it works. When I try to get a new access token, that’s when I receive an error. Thanks again for your help.

franz.salvador · September 1, 2022, 8:18pm

I saw the post about setting up a rule for MFA to occur only once per session. I’ll try and implement now. Disregard last post.

dan.woda · September 1, 2022, 8:33pm

Sounds good, let us know what you find.

franz.salvador · September 2, 2022, 6:37pm

Works like a charm. The only issue that needed to be addressed is detecting if the client is calling getTokenSilently and has a refresh token. In order to check this, we needed to check context.protocol. If refresh token is used, bypass mfa athentication since the refresh token has been granted. We are running node 12 so code may seem a bit outdated.

  const requiresMfa = function (context, user) {
    const refreshTokenProtocol = 'oauth2-refresh-token';
    const isRefreshTokenProtocol = context.protocol === refreshTokenProtocol;

    let authMethods = [];
    if (context.authentication && Array.isArray(context.authentication.methods)) {
      authMethods = context.authentication.methods;
    }
    const isMFAAuthenticated = Boolean(authMethods.find(method => method.name === 'mfa'));

    if (isRefreshTokenProtocol || isMFAAuthenticated) {
      return false;
    }
    return true;
  };

dan.woda · September 2, 2022, 9:15pm

Perfect. Thanks for the explainer and code sample

Topic		Replies	Views
Workaround for MFA error when using getAccessTokenSilently with React Help auth0-react , sdks-quickstarts	3	1930	April 26, 2023
getAccessTokenSilently with ignoreCache still giving me old token Help configuration , application	5	1273	November 15, 2023
Multifactor authentication with rotating refresh Help mfa , refresh-tokens , auth0-spa-js	7	3993	April 21, 2022
Failed Silent Auth. Multifactor authentication required error Help auth0 , rules , multi-factor , mfa-email	6	8069	August 27, 2020
Unable to renew token when MFA is enabled Help mfa , silent-authenticatio	15	7406	March 24, 2022

getAccessTokenSilently results in a 403 when ignoreCache is set to true

Related topics