Auth0 Home Blog Docs

Login_required when checkSession

auth0js

#1

I am trying to renew the token due to the idle of the user using the silent renew method. When the user just log in the renew process seems to work fine but just when the checkSession method is triggered, the response is always login_required. I am using OIDC to log the user. The callback is in the allowed callbacks and the only logs I have are the same “login_required”. The third party cookies are also available.


#2

Hey onroute! I’d be happy to offer some assistance if I can. Could you post the code? And the error from Auth0 logs would be helpful too. I’ve used the checkSession method with both auth0-js and auth0-lock and haven’t encountered this issue.

My javascript code looks something like this:

this.lock.checkSession({}, (err, authResult) => {
   if(err) {
      console.log(err);
   } else {
      const expiresAt = JSON.stringify((authResult.expiresIn * 1000) + new Date().getTime());
      localStorage.setItem('access_token', authResult.accessToken);
      localStorage.setItem(expires_at);
   }
});

#3

Thanks Royce,
The error happens just after the user log in correctly. I get a timeout in my application and in the log from Auth0 only said “login_required”.

Strange thing is, I decided to create another tenant and in that one I can renew the token, but still have a timeout in the front end application. So, I can’t renew the token in the session storage.

Code looks like this:

const webAuth = new auth0.WebAuth({
  clientID: 'MY_CLIENT_ID',
  domain: 'MY_AUTH_DOMAIN',
  redirectUri: 'CALLBACK_URL',
  responseType: 'token id_token',
  scope: "openid profile read"
});

webAuth.checkSession({}, function (err, authResult) {
    if(err) {
        console.log(err);
    }else {
        //Some action
    }
});

#4

Hmm…are you using this JWT to access an API? If so, you need to specify your audience in the webAuth options. You may also want to check the settings for your API. Maybe you changed the token expiration time at some point? Sorry if that seems basic – I’m not exactly familiar with your setup.

When you say you have a timeout, do you mean that a user will (1) successfully login, (2) use the app for some small amount of time, and (3) be logged out instead of going through silent authentication? In your auth0 logs, do you ever see something like “Success Silent Auth” or “Failed Silent Auth”?

The fact that your other tenant has dissimilar behavior suggests to me that it might be something with your settings in Auth0 (which is always a pain, because it’s tough to know when and how you changed things over time). You might want to take a look there and just double check that the callbacks are correct – that’s usually where I start.

Of course, it could also be something simple in your code like you accidentally call the logout endpoint and end the session at auth0, remove the accessToken from local/session storage, or some such thing. If your github repo is public, I’d be happy to take a look and see if anything jumps out at me.


#5

Ok, so there are some things that I have done. I do change a few times the token expiration and the session time. We do check the JWT in our servers and defining the audience seems to work in the same way.
What we want to achieve is logout the user base on its inactivity, which we define in our business by a period of idle time of 30 minutes where the user has not done any kind of request. If the user is requesting data we do the silent authentication and renew the token. The inactivity session time is also defined on our tenant settings.