I’m using auth0-react 1.9.0
In my main index.js I have:
Additionally, I have a script in App.js that runs getAccessTokenSilently when the app first loads.
    import { useEffect } from 'react';
    import { useAuth0 } from '@auth0/auth0-react';

    function App() {
      // getAccessTokenSilently comes from the Auth0Provider wrapping the app in index.js
      const { getAccessTokenSilently } = useAuth0();

      // Ask the SDK for a token without any user interaction
      const getToken = async () => {
        try {
          await getAccessTokenSilently();
        } catch (e) {
          console.log(e);
        }
      };

      // Run once, on first mount
      useEffect(() => {
        getToken();
      }, []);
    }
My login button is using onClick={() => loginWithPopup()}, which I understand uses HTML5 web messaging.
My logout button is running with onClick={() => logout({ localOnly: true })}
because I’m running in a chrome extension that might be running on any page domain, so I cannot do a sensible redirect. It’s also important for the user flow that they can stay on their current page.
Problem:
When I logout and refresh the page, getAccessTokenSilently gets a new token and logs me back in.
How?! I can see that the localStorage (but not cookies) is cleared by logout(), but even when I delete the cookies manually, a refresh still causes getAccessTokenSilently to function. Where is any user information being stored?
Also note:
- If I comment out getAccessTokenSilently, then it does not get logged back in.
- If I do this in incognito mode, then it does not get logged back in.
Of course I can simply remove getAccessTokenSilently from firing immediately, but I want to understand how getAccessTokenSilently is even working at all, as it seems like a security risk.
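As an added illustration (not part of the original post and not Auth0 SDK code), here is a toy JavaScript model of the three places state lives in this flow: the app's localStorage cache, cookies on the app's own host, and the authorization server's session cookie on its own host. It assumes the standard silent-auth design (a hidden iframe request to /authorize with prompt=none, answered from the server-side session cookie) and that an incognito window blocks third-party cookies, as Chrome does by default. Every host name, storage key, user name and token string below is invented.

```javascript
// Toy model (not the Auth0 SDK) of where login state lives during silent token renewal.
// Hosts, keys and token formats are invented placeholders.
const AUTH_HOST = 'tenant.example.auth0.com'; // placeholder for the Auth0 tenant domain
const APP_HOST = 'app.example';               // the page the extension happens to run on
const CACHE_KEY = `${APP_HOST}:auth0spajs`;   // invented name for the SDK's token cache

let tokenCounter = 0;

// A browsing context: one cookie jar keyed by host, one localStorage keyed by origin.
// An incognito window starts empty and (assumed, as in Chrome's default) blocks
// third-party cookies, so a hidden iframe to AUTH_HOST cannot present AUTH_HOST's cookie.
function createBrowser({ incognito = false } = {}) {
  return { cookies: new Map(), localStorage: new Map(), blockThirdPartyCookies: incognito };
}

// Interactive login (loginWithPopup): the authorization server sets a session cookie on
// ITS host, and the SDK caches the returned token under the app's origin.
function interactiveLogin(browser, user) {
  browser.cookies.set(AUTH_HOST, { user });
  const grant = { user, token: `tok-${user}-${++tokenCounter}` };
  browser.localStorage.set(CACHE_KEY, grant);
  return grant;
}

// /authorize?prompt=none as issued from the hidden iframe: the server answers from its
// own session cookie if the iframe is allowed to send it; otherwise login_required.
function silentAuthorize(browser) {
  const session = browser.blockThirdPartyCookies ? undefined : browser.cookies.get(AUTH_HOST);
  if (!session) return { error: 'login_required' };
  return { user: session.user, token: `tok-${session.user}-${++tokenCounter}` };
}

// getAccessTokenSilently(): serve from the app cache, else fall back to silent authorize.
function getAccessTokenSilently(browser) {
  const cached = browser.localStorage.get(CACHE_KEY);
  if (cached) return cached;
  const result = silentAuthorize(browser);
  if (result.error) throw new Error(result.error);
  browser.localStorage.set(CACHE_KEY, result);
  return result;
}

// logout({ localOnly: true }): clears the app-side cache and nothing else.
function logoutLocalOnly(browser) {
  browser.localStorage.delete(CACHE_KEY);
}

// Full logout: the local clear plus the server-side session end that localOnly skips.
function logoutFull(browser) {
  logoutLocalOnly(browser);
  browser.cookies.delete(AUTH_HOST);
}

// What the poster did by hand: delete cookies for the page's own host. The server's
// session cookie lives on a different host, so this does not touch it.
function clearAppCookies(browser) {
  browser.cookies.delete(APP_HOST);
}

// The App.js useEffect on reload: the signed-in user, or null if silent auth fails.
function whoIsSignedInAfterReload(browser) {
  try {
    return getAccessTokenSilently(browser).user;
  } catch (e) {
    return null; // e.message === 'login_required'
  }
}

// Replays the sequence from the question (login, logout, clear app cookies, reload)
// with a chosen logout strategy and window type.
function replay(logout, { incognito = false } = {}) {
  const browser = createBrowser({ incognito });
  interactiveLogin(browser, 'alice');
  logout(browser);
  clearAppCookies(browser);
  return whoIsSignedInAfterReload(browser);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('localOnly logout, normal window:', replay(logoutLocalOnly));                    // alice
  console.log('localOnly logout, incognito    :', replay(logoutLocalOnly, { incognito: true })); // null
  console.log('full logout, normal window     :', replay(logoutFull));                         // null
}
```

Running the file reproduces the three observations from the question: with a local-only logout the reload silently signs the user back in, the same sequence in an incognito window does not (the iframe cannot present the server's session cookie), and a logout that also ends the server-side session stops the re-login in a normal window. The security-relevant point the model makes visible is that `localOnly` removes the app's copy of the credentials while the credential that matters for renewal, the session on the authorization server's host, is untouched and unreachable from the app's own cookie jar.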