Hi, let me try to provide more insights here:
Could you let me know if you are enforcing mfa by any chance in your application?
I do not see any code / configuration that does this
Does your application use refresh tokens/refresh token rotation?
yes
What is the expiration of your tokens set to?
ID Token Expiration: 36000s
Set Idle Refresh Token Lifetime - enabled
Idle Refresh Token Lifetime - 1296000s
Set Maximum Refresh Token Lifetime - 2592000s
Allow Refresh Token Rotation - disabled
Where do you store the session of the user? Do you clear it or the cache set?
the JWT token is stored in local storage with key ‘CLIENT_JWT’
Do any of your functions like isAuthenticated() or checkSession() return false and prompt the user to log in?
not sure how to answer this
Here should be all of the specific configuration parts:
<Auth0Provider
  domain={process.env.REACT_APP_AUTH_DOMAIN}
  clientId={process.env.REACT_APP_AUTH_CLIENT_ID}
  redirectUri={`${window.location.origin}/home`}
  audience={audience}
  scope={requestedScopes.join(" ")}
  useRefreshTokens              // refresh tokens requested (offline_access scope below)
  cacheLocation="localstorage"  // SDK cache lives in localStorage, not memory
  onRedirectCallback={redirectCallBack}
>
const requestedScopes = [
  "read:users",
  "read:user",
  "edit:user",
  "read:current_user",
  "openid",
  "offline_access",  // needed for the SDK to receive a refresh token
  "enroll",
];
import { useAuth0 } from "@auth0/auth0-react";

const CLIENT_JWT = "CLIENT_JWT"; // localStorage key where the token is kept
const { isAuthenticated, getAccessTokenSilently, logout } = useAuth0();

localStorage.getItem(CLIENT_JWT); // token stored here

// In the Axios request interceptor: ask the SDK for a token (served from its
// cache, or obtained with the refresh token), and if it differs from the one
// we last stored, persist it and notify other tabs via a storage event.
const token = isAuthenticated ? await getAccessTokenSilently() : "";
const oldToken = localStorage.getItem(CLIENT_JWT);
if (token && oldToken !== token) {
  const tokenType = oldToken == null ? "ACCESS" : "REFRESH";
  localStorage.setItem(CLIENT_JWT, token);
  const event = new StorageEvent("storage", {
    key: CLIENT_JWT,
    newValue: token,
    oldValue: oldToken,
    storageArea: localStorage,
    url: window.location.href,
  });
  window.dispatchEvent(event);
}

// Logout: end the Auth0 session, then drop our own copy of the token.
logout({ returnTo: returnTo });
localStorage.removeItem(CLIENT_JWT);
Thank you for looking into this case; I hope this helps in understanding the scenario.
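The lifetimes posted above (ID token 36000 s, idle refresh-token lifetime 1296000 s, maximum refresh-token lifetime 2592000 s, rotation disabled) decide when getAccessTokenSilently() stops returning a token and the user lands back on the login page. The following is an added example, not the poster's code nor Auth0's SDK: a clock-driven model of those settings run over a few constructed activity patterns, plus an unverified read of a JWT's exp claim. It assumes the usual semantics of the two refresh-token settings (the refresh token is rejected when unused for longer than the idle lifetime, or once the maximum lifetime since the original login has passed) and ignores the SDK's default 60 s expiry leeway. The SessionModel, simulate, firstLoginRequiredAt, jwtExpiresAt and makeSampleJwt names are this example's own, and it goes slightly beyond the thread by showing the idle and maximum limits interacting for different usage patterns.

```javascript
// Added example (not the original poster's code): a model of the posted
// Auth0 lifetimes, to see when the refresh token dies and a re-login is forced.
// Assumed semantics: idle lifetime is a sliding window reset on every refresh;
// maximum lifetime is absolute from the original login; rotation is disabled,
// so one refresh token is reused until a limit is hit. SDK leeway ignored.

const ID_TOKEN_LIFETIME_S = 36000;       // 10 h  (ID Token Expiration)
const IDLE_REFRESH_LIFETIME_S = 1296000; // 15 d  (Idle Refresh Token Lifetime)
const MAX_REFRESH_LIFETIME_S = 2592000;  // 30 d  (Maximum Refresh Token Lifetime)

class SessionModel {
  constructor(loginAt) {
    this.loginAt = loginAt;        // absolute clock for the maximum lifetime
    this.lastRefreshAt = loginAt;  // sliding clock for the idle lifetime
    this.accessExpiresAt = loginAt + ID_TOKEN_LIFETIME_S;
    this.alive = true;
  }

  // One API call at time t (seconds). Outcomes mirror what the interceptor sees:
  //   'cached'         -> SDK returns the stored token, no network call
  //   'refreshed'      -> SDK used the refresh token and got a new access token
  //   'login_required' -> refresh token rejected; isAuthenticated() goes false
  request(t) {
    if (!this.alive) return 'login_required';
    if (t < this.accessExpiresAt) return 'cached';
    const idleExceeded = t - this.lastRefreshAt > IDLE_REFRESH_LIFETIME_S;
    const maxExceeded = t - this.loginAt > MAX_REFRESH_LIFETIME_S;
    if (idleExceeded || maxExceeded) {
      this.alive = false;
      return 'login_required';
    }
    this.lastRefreshAt = t;
    this.accessExpiresAt = t + ID_TOKEN_LIFETIME_S;
    return 'refreshed';
  }
}

// Run a list of request timestamps (the first one is the login) through the model.
function simulate(activityTimes) {
  const session = new SessionModel(activityTimes[0]);
  return activityTimes.map((t) => ({ t, outcome: session.request(t) }));
}

// Seconds after login at which the first forced re-login happens, or null.
function firstLoginRequiredAt(activityTimes) {
  const hit = simulate(activityTimes).find((r) => r.outcome === 'login_required');
  return hit ? hit.t - activityTimes[0] : null;
}

// Read the exp claim from a stored JWT without verifying it. Acceptable for
// scheduling a client-side refresh; never use it for an authorization decision.
function jwtExpiresAt(token) {
  const payload = token.split('.')[1];
  return JSON.parse(Buffer.from(payload, 'base64url').toString('utf8')).exp;
}

// Constructed, unsigned sample token (example only; a real token carries a signature).
function makeSampleJwt(exp) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc({ sub: 'user1', exp })}.sig`;
}

// Constructed activity patterns (seconds since login).
const DAY = 86400;
const dailyUser = Array.from({ length: 40 }, (_, d) => d * DAY); // one call per day
const backAfter14Days = [0, 14 * DAY];
const backAfter16Days = [0, 16 * DAY];

console.log(firstLoginRequiredAt(dailyUser));       // 2678400: day 31, maximum lifetime hit despite daily use
console.log(firstLoginRequiredAt(backAfter14Days)); // null: idle limit not reached
console.log(firstLoginRequiredAt(backAfter16Days)); // 1382400: day 16, idle limit hit
console.log(jwtExpiresAt(makeSampleJwt(1700000000))); // 1700000000
```

Two things fall out of this that the interceptor's string comparison does not surface: an active user is logged out on day 31 no matter what (the maximum lifetime is absolute, and with rotation disabled there is no new refresh token to reset it), and a user who comes back after more than 15 days away is logged out by the idle limit. If either matches the reported behaviour, the settings rather than the cache handling are the cause.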