iOS refresh/auth loop on Safari

argo · June 5, 2023, 5:58am

I am referencing this issue specifically.

github.com/auth0/auth0-angular

Authentication struggles on iOS

opened 10:38PM - 12 Jan 23 UTC

closed 02:27PM - 25 Jan 23 UTC

davidobrien1985

bug report

I am using auth0 free plan (for now). I have an Angular SPA which is already us…ing auth0 successfully, everywhere except on Apple devices. On Chrome, Edge, all is well, on iOS I get weirdness. I use `'@auth0/auth0-angular'` in my app. In app.module.ts I initiate the client like so: ``` AuthModule.forRoot({ ...env.auth, useRefreshTokens: true, cacheLocation: 'localstorage', scope: 'openid email profile', httpInterceptor: { allowedList: [`*`], }, }), ``` I first noticed issues when a dropdown menu on the first page (after login) didn’t populate with values from our backend APIs (other pages, without dropdowns are fine though). Then, when users refresh the page they end up in a login loop. The page has lost the state it seems and thinks the user is not logged in, says they should log in (doesn’t redirect to auth0 anymore though) and just stops working. In `home.component.ts`: We use `isAuthenticated$ = this.authService.isAuthenticated$` from `import { AuthService } from '@auth0/auth0-angular';`. In `home.component.html`: ``` <ng-template #unAuthenticated> <h2>Please log in from the menu.</h2> </ng-template> <div class="container" *ngIf="isAuthenticated$ | async; else unAuthenticated"> <div class="row"> ``` Again, this works as we expect everywhere, except Apple. What are we missing here? Thanks for your help! David

For us, the same redirect loop seems to be happening without using a specific sdk, as we issue direct API requests of the form:

const options: AxiosRequestConfig = {
      method: 'POST',
      url: `${process.env.AUTH0_ENV}/passwordless/start`,
      headers: { 'content-type': 'application/json' },
      data: payload,
    }

I do not experience this issue myself, and am not certain how to reproduce it. Happy to have an iOS device made available to me by a friend to take a closer look, however what we do have is a Sentry integration that surfaces this error relatively frequently.

We’ve seen it in prod 34 times over the past 30 days. The situation for us is that the user is bounced back and forth between authed and de-authed states, until it causes:

SecurityError
Attempt to use history.replaceState() more than 100 times per 30 seconds

Mobile Safari
Version: 16.5

iOS
Version: 16.5

iPhone
Model: iPhone

I do not currently have source mappings or correlated errors, however, I thought it could be useful to start the discussion based on other adjacent issues of the same type, ie.

https://community.auth0.com/t/authentication-struggles-on-ios/98039/8

I am uncertain where to raise an issue for this specific matter. That said, we are in the process of releasing an updated integration that contains source maps, and can hopefully help us to pinpoint the error and context specifically.

Thank you for your help with this matter.