I think you’re right. Your session issues have nothing to do with the fact that your social connections are using dev keys. Only if you were using one of those social connections in the account linking process (as per your example in your original post) would there be a possible impact to the Auth0 session. So I think there’s something else going on here…
Can you check to see if the code in your application that’s performing the refresh of the tokens (which relies on the Auth0 session) is using a specific connection - perhaps even the database connection that the user signed in with when they first launched your SPA?
If so, then here’s what’s happening:
Today, an Auth0 session is essentially bound to a single connection. If you perform another authorization flow and specifically request a different connection than the one the user authenticated with to create the current session, Auth0 is going to prompt the user for authentication. In your use case, this is happening two different ways:
- When you want it to, which is when you perform the link to your custom social provider. Here you’re intentionally passing a connection parameter that points to the name of your custom social connection. Auth0 has an existing session, but because you’re using connection it ignores that and attempts authentication against the alternative connection. In the case of your custom social provider, it satisfies this request by redirecting to that provider’s authorization endpoint, which (unless you already have a session there) will most likely send you to their login page. When this authorization flow completes, Auth0 then replaces your old session with a new one (by setting a new cookie) that’s now bound to the connection of the custom social provider.
- Some time later, when your SPA decides to refresh its session, (my theory is) you’re passing connection again, but this time with the original connection name, which of course is different from the custom social provider. Again, Auth0 needs to satisfy this request and prompt the user for authentication. And since this is a database connection, it sends them to the login page.
I hope I’m on the right track. Please confirm if you can.
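Added example, not from the thread or from Auth0's SDK: a small JavaScript model of the behaviour described in the reply, building the account-link and the session-refresh /authorize requests and predicting from the session's bound connection whether the request can be satisfied without a new login. The tenant domain, client id, redirect URI and connection names are constructed placeholders, and prompt=none silent authentication is assumed for the SPA's refresh.

```javascript
// Constructed placeholders; replace with your tenant's values.
const AUTH0_DOMAIN = "example-tenant.auth0.com";
const CLIENT_ID = "CLIENT_ID_PLACEHOLDER";
const REDIRECT_URI = "https://spa.example.com/callback";
const DB_CONNECTION = "Username-Password-Authentication";
const CUSTOM_SOCIAL = "my-custom-social";

// Build a /authorize URL for the SPA. PKCE/state parameters are omitted
// so the example stays focused on the connection and prompt parameters.
function buildAuthorizeUrl({ connection, prompt, scope = "openid profile" }) {
  const url = new URL(`https://${AUTH0_DOMAIN}/authorize`);
  url.searchParams.set("client_id", CLIENT_ID);
  url.searchParams.set("redirect_uri", REDIRECT_URI);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("scope", scope);
  if (connection) url.searchParams.set("connection", connection);
  if (prompt) url.searchParams.set("prompt", prompt);
  return url.toString();
}

// Session model from the reply: one Auth0 session is bound to one connection.
// A request that names a different connection cannot reuse that session.
function needsInteractiveLogin(session, authorizeUrl) {
  if (!session) return true; // no Auth0 session at all
  const requested = new URL(authorizeUrl).searchParams.get("connection");
  return requested !== null && requested !== session.connection;
}

// Account-link step: deliberately targets the custom social connection.
function linkRequest() {
  return buildAuthorizeUrl({ connection: CUSTOM_SOCIAL });
}

// Silent refresh: prompt=none and NO connection parameter, so the
// existing session is reused whichever connection created it.
function refreshRequest() {
  return buildAuthorizeUrl({ prompt: "none" });
}

// Walk the scenario from the reply and report each outcome.
function scenario() {
  let session = { connection: DB_CONNECTION };         // user signed in via database
  const linkPrompts = needsInteractiveLogin(session, linkRequest()); // true
  session = { connection: CUSTOM_SOCIAL };             // Auth0 replaced the cookie
  const badRefresh = buildAuthorizeUrl({ prompt: "none", connection: DB_CONNECTION });
  return {
    linkPrompts,
    badRefreshPrompts: needsInteractiveLogin(session, badRefresh),      // true
    goodRefreshPrompts: needsInteractiveLogin(session, refreshRequest()) // false
  };
}
```

The bad refresh is the one the reply suspects: a connection parameter naming the database connection after the session has been rebound to the custom social connection.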