I’m trying to understand what I am doing wrong here… I have a Svelte SPA with “@auth0/auth0-spa-js”: “^2.1.3”.
I created a js with all the loginWithPopup and logout functions that I intend to use.
When I run my code in a Chrome incognito window, it works without an issue, but if I run it from a regular Chrome window I get the error:
Login popup error: _u: The client_secret or client_assertion field is required, or it should be mTLS request.
at _u.fromPayload (http://localhost:5173/node_modules/.vite/deps/@auth0_auth0-spa-js.js?v=470c0c0a:322:12)
at o3 (http://localhost:5173/node_modules/.vite/deps/@auth0_auth0-spa-js.js?v=470c0c0a:795:156)
loginWithPopup @ authService.js:199
await in loginWithPopup
apply @ events.js:330
MetaDashboard.button.__click @ MetaDashboard.svelte:21
handle_event_propagation @ events.js:253
authService.js:200 Uncaught (in promise) _u: The client_secret or client_assertion field is required, or it should be mTLS request.
at _u.fromPayload (http://localhost:5173/node_modules/.vite/deps/@auth0_auth0-spa-js.js?v=470c0c0a:322:12)
at o3 (http://localhost:5173/node_modules/.vite/deps/@auth0_auth0-spa-js.js?v=470c0c0a:795:156)
It comes from:
    async function loginWithPopup(options = {}) {
      const client = await getClient();
      if (!client) throw new Error('Auth client not available');
      try {
        const config = getClientConfig();
        await client.loginWithPopup({
          ...config.authorizationParams,
          ...options
        });
        await refreshUserSession();
        return true;
      } catch (error) {
        if (error.message === 'Popup closed') {
          // User closed popup - not really an error
          return false;
        }
        console.error('Login popup error:', error);
        throw error;
      }
    }
I’m creating the client with:
    async function getClient() {
      if (auth0Client) return auth0Client;
      if (!browser) return null;
      try {
        const config = getClientConfig();
        if (!config) throw new Error('Failed to get client configuration');
        auth0Client = await createAuth0Client(config);
        return auth0Client;
      } catch (error) {
        console.error('Failed to create Auth0 client:', error);
        throw error;
      }
    }
Your configuration indeed appears to be correct and it should be working without any issues in both instances of Chrome.
Have you tried any other browser in which you have experienced the same error?
Otherwise, can you check out this Blog Post and try out the Github repository posted at the end and let me know if you experience the same issue there?
Thanks for your response, we used that blog post for “inspiration”!
I have tried the same code using Chrome (regular + incognito) and Firefox (regular + incognito).
I can see this on my Auth0 logs:
| Timestamp | Type | Description | Connection | Application | Occurred |
| --- | --- | --- | --- | --- | --- |
| 2025-06-23T18:50:05.756Z | Success Exchange | Authorization Code for Access Token | N/A | SumentsSPA | 6 minutes ago |
| 2025-06-23T18:50:05.583Z | Success Login | Successful login | N/A | SumentsSPA | 6 minutes ago |
| 2025-06-23T18:50:05.019Z | Success Exchange | Authorization Code for Access Token | N/A | SumentsSPA | 6 minutes ago |
| 2025-06-23T18:50:04.803Z | Success Silent Auth | Successful silent authentication | N/A | SumentsSPA | 6 minutes ago |
| 2025-06-23T18:49:53.169Z | Actions Execution Failed | Execution of an Action failed | Username-Password-Authentication | SumentsSPA | 6 minutes ago |
| 2025-06-23T18:49:52.175Z | Failed Login | The client_secret or client_assertion field is required, or it should be mTLS request. | N/A | SumentsSPA | 6 minutes ago |
What is funny is that it is the same code with the same configuration being executed…
I noted also that it started to fail after I tried to “sign in” using the popup… which makes me think there is some sort of information stored somewhere, then it is picked up by the popup and sent, as I can see from the failed records…
I have tried to set cacheLocation: 'localstorage', // Use memory instead of localstorage to avoid cache issues
to both values and removed all application data from the developer tools and I have also disabled the use of getTokenSilently…
Just to confirm, only the default Chrome window throws that error, right?
It indeed appears to be some kind of caching issue regarding chrome, however, in order for me to take a closer look, do you mind sharing the repository via DM so I can test things out on my end?
I have not seen any option to send a DM. Anyway, I can’t add a link here…
If you go to github to:
github.com/JavierMoncayo/auth0-issue
I have used the same implementation as we use when I noticed this behaviour. The repo contains the default app created by svelte with the Auth0 client from the github repo 2.2.0.
When I run this new app on the same browser that fails using our main app, the auth0 client sends the same dummy user to the endpoint for auth, showing the same error. If I run both apps on a browser that has never seen the issue, then it works as expected.
How to replicate it?
Use the loginWithPopup button and try to sign in. That will probably fail (that is what I was trying to debug originally). After that first fail, when you try to re-open the popup, you always see the error mentioned before.
Thanks for providing me that link! It was sufficient in order to carry out the tests.
Unfortunately, I was not able to replicate the issue on my end, I tested using both Google and Firefox and incognito windows. I was able to authenticate without any issues using both Popup and Redirect and the user would be authenticated accordingly.
As I have mentioned above, this appears to be some kind of caching issue on the web browser on which you are conducting your tests. I would recommend to see if the issue persists on a different device/machine as well. I am not sure what might be causing this issue, I would recommend to open a Github Issue on the SPAJS page to have further investigation conducted.
If I can help you out with any other questions, let me know!
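
To compare what the SDK has persisted in the failing Chrome profile against a clean incognito window, the following added example (not code from the thread or from the Auth0 SDK) lists key names only, never token values. The storage prefixes and cookie name patterns are assumptions based on auth0-spa-js v2 defaults; `inventory`, `fakeStorage` and the `CLIENT_A`/`CLIENT_B` IDs are hypothetical.

```javascript
// Added example, not from the thread. Prefixes below are assumptions taken from
// auth0-spa-js v2 defaults; confirm them against the installed SDK version.
const CACHE_PREFIX = '@@auth0spajs@@'; // token/user cache when cacheLocation is 'localstorage'
const TXN_PREFIX = 'a0.spajs.txs';     // pending login transaction in sessionStorage

// Collect keys with a given prefix from any Storage-like object.
function keysWithPrefix(storage, prefix) {
  const out = [];
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    if (k !== null && k.startsWith(prefix)) out.push(k);
  }
  return out.sort();
}

// Names (not values) of SDK cookies present in a document.cookie string.
function sdkCookieNames(cookieString) {
  return cookieString.split(';')
    .map((c) => c.trim().split('=')[0])
    .filter((n) => n.startsWith('auth0.') || n.startsWith('_legacy_auth0.'))
    .sort();
}

// Summarise what the SDK has persisted for this origin, flagging cache entries
// that belong to a client ID other than the one the app is configured with.
function inventory({ local, session, cookie }, clientId) {
  const cache = keysWithPrefix(local, CACHE_PREFIX);
  return {
    cache,
    foreignClientCache: cache.filter((k) => !k.startsWith(`${CACHE_PREFIX}::${clientId}::`)),
    transactions: keysWithPrefix(session, TXN_PREFIX),
    cookies: sdkCookieNames(cookie),
  };
}

// Minimal Storage stand-in so the example runs outside a browser.
function fakeStorage(obj) {
  const keys = Object.keys(obj);
  return { length: keys.length, key: (i) => (i < keys.length ? keys[i] : null) };
}

// Constructed sample: two projects served from the same localhost origin.
function demo() {
  return inventory({
    local: fakeStorage({
      '@@auth0spajs@@::CLIENT_A::default::openid profile email': '{}',
      '@@auth0spajs@@::CLIENT_B::@@user@@': '{}',
      theme: 'dark',
    }),
    session: fakeStorage({ 'a0.spajs.txs.CLIENT_B': '{}' }),
    cookie: 'auth0.CLIENT_A.is.authenticated=true; other=1',
  }, 'CLIENT_A');
}
```

In a browser console the same function can be called as `inventory({ local: localStorage, session: sessionStorage, cookie: document.cookie }, '<your client ID>')`. Storage is scoped to the origin, so two projects served from the same `localhost` port share these entries.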