My SPA application getAccessTokenSilently calls brings me to login page

Hey guys.
I have been on this issue for like 2 weeks and can’t get my head around this. Hence, posting here for some expert opinion.
So the scenario is that I would like my users to log in to my application by custom login flow. For this I am calling this api with this payload.

const data = {
			method: 'POST',
			url: 'https://XXX/oauth/token',
			headers: { 'content-type': 'application/json' },
			data: new URLSearchParams({
				grant_type: 'password',
				username: email,
				password: password,
				audience: XXX',
				scope: 'openid profile email read:users update:users create:users create:connections',
				client_id: AUTH0_CLIENT_ID,
			}),
		};

Since my application is SPA so in return I get a response like this.
{"access_token":"token","id_token":"token","scope":"openid profile email","expires_in":86400,"token_type":"Bearer"}

After when I redirect my application to home page which is wrapped in an auth HOC it redirects me to login page of auth0. This is what I am getting on logs.

image1044×269 20.6 KB

I would appreciate any help on this please.

Hi @bilal,

Assuming you are getting management API tokens here, you are opening your Auth0 instance up to tampering with this flow.

A user could easily grab the access token and read/update your entire user database.

The resource owner password flow is easily misused and is not recommend unless you are fully aware of the risks.

Silent auth relies on an existing session to authenticate. This is usually in the form of an Auth0 Cookie. You can look at the request to see if the correct cookie is attached to the request.

Hey @dan.woda . Thank you for the detail clarification. And yes, you are right, doing things like this has a great chance of exposing my application to intruders.

I’ll try to think something else

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.