Login with different Auth0 account

With auth0-spa-js when I use a different account and I change my domain, client_id and audience I cannot log in. After entering a valid username and password in the login box I get the following error messages:


In the logs I get a ‘Failed Exchange’ error message but also a Success Login message.

Can you please help?

The information available is insufficient to provide a definitive answer; however, if this only fails for a specific tenant/domain and not the other, it would be relevant to check if any tenant-specific configuration could be the culprit.

For example, one tenant may have enabled custom rules that are leading to the error while on the other tenant there are no custom rules or they are different.

The ideal information to have to troubleshoot such a situation would be an HTTP trace (HAR) of both login attempts (the one that succeeds and the one that fails). However, HTTP traces will capture sensitive information, so you should only share those in public forums after you have ensured that you redacted any information you deemed sensitive, like passwords, cookies, etc.
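One way to redact a HAR capture before sharing it, as the reply above advises. This is an added example, not part of the original thread; the list of sensitive names, the function names and the sample capture are assumptions constructed for illustration.

```javascript
// Names treated as sensitive: an assumed starting list, extend it for your app.
const SENSITIVE_HEADERS = new Set(["authorization", "cookie", "set-cookie"]);
const SENSITIVE_FIELDS = new Set(["password", "client_secret", "code",
  "code_verifier", "access_token", "id_token", "refresh_token"]);
const MASK = "REDACTED";
// Mask the value of each {name, value} pair whose name is in `names`.
const redactPairs = (pairs, names) => (pairs || []).map(p =>
  names.has(p.name.toLowerCase()) ? { ...p, value: MASK } : p);
const maskCookies = cookies => (cookies || []).map(c => ({ ...c, value: MASK }));
function maskParams(params) {
  for (const k of [...params.keys()])
    if (SENSITIVE_FIELDS.has(k.toLowerCase())) params.set(k, MASK);
  return params;
}
const redactUrl = url => { const u = new URL(url); maskParams(u.searchParams); return u.toString(); };
// Bodies: mask sensitive keys in JSON and urlencoded text; other types pass through.
function redactBody(text, mimeType) {
  if (!text) return text;
  const type = mimeType || "";
  if (type.includes("x-www-form-urlencoded"))
    return maskParams(new URLSearchParams(text)).toString();
  if (!type.includes("json")) return text;
  try { // the reviver visits nested keys as well
    return JSON.stringify(JSON.parse(text, (k, v) =>
      SENSITIVE_FIELDS.has(k.toLowerCase()) ? MASK : v));
  } catch (_) { return MASK; } // unparseable JSON: drop it rather than leak it
}

function redactHar(har) {
  const out = JSON.parse(JSON.stringify(har)); // deep copy; input stays untouched
  for (const { request: req, response: res } of out.log.entries) {
    req.url = redactUrl(req.url);
    req.headers = redactPairs(req.headers, SENSITIVE_HEADERS);
    req.queryString = redactPairs(req.queryString, SENSITIVE_FIELDS);
    req.cookies = maskCookies(req.cookies);
    if (req.postData) req.postData.text = redactBody(req.postData.text, req.postData.mimeType);
    res.headers = redactPairs(res.headers, SENSITIVE_HEADERS);
    res.cookies = maskCookies(res.cookies);
    if (res.content) res.content.text = redactBody(res.content.text, res.content.mimeType);
  }
  return out;
}

// Constructed sample (not a real capture): a failing token-endpoint exchange.
const SAMPLE_HAR = { log: { entries: [{
  request: { url: "https://tenant.example.test/oauth/token", headers: [{ name: "Cookie", value: "sid=abc" }],
    postData: { mimeType: "application/json", text: '{"grant_type":"authorization_code","code":"c0de"}' } },
  response: { headers: [], content: { mimeType: "application/json", text: '{"error":"access_denied"}' } } }] } };
```

Response bodies of other content types (for example HTML pages) pass through unchanged, so review them by hand before posting.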

Successful setup gives:


The failing one gives:


The domain I have set up on Auth0 is nmm-iw.eu.auth0.com, which appears to be correct but is coming through as unauthorised.

The failing setup is on a free account at the moment so is not using custom domains.

Thanks for any help you can give.

The reason for the error, which is a 401 in the token endpoint, is that the client application in the other tenant is configured to require client authentication. Given this application seems to be a browser-based application, it would need to have Token Endpoint Authentication Method set to None because it will not be able to send the client secret.

If the application type is currently set to SPA, you may not be able to change Token Endpoint Authentication Method from the dashboard, so the recommendation would be to change the Application Type to be a regular web application and then back to an SPA. The important thing is to ensure that if your application is a public client (won’t be able to securely use a client secret) the Token Endpoint Authentication Method will need to be None.
