Hey, I'll try to keep it short.
I have a weird problem with checkSession. So I have a SPA. Nothing special, I check if the access_token is expired and attempt a silent auth via checkSession.
  // Silent re-authentication through the Auth0 session cookie (auth0-js).
  auth.checkSession({
    responseType: 'token id_token',
    audience: AUDIENCE,
    scope: SCOPE,
    redirectUri: REDIRECT
  }, (err, authResult) => {
    console.log('AuthResult', err, authResult);
    if (err) {
      // Silent auth failed (login_required, consent_required, ...): drop the local session.
      logout(true);
    } else {
      setAccessToken(authResult.accessToken);
      setIdToken(authResult.idToken);
      // expiresIn is a lifetime in seconds, not a timestamp; setExpiresAt is
      // expected to turn it into an absolute expiry time.
      setExpiresAt(authResult.expiresIn);
      setRenewalTimeout();
      if (cb) {
        // Fetch the profile with the freshly issued access token.
        auth.client.userInfo(authResult.accessToken, (profileErr, profile) => {
          cb(profileErr, profile);
        });
      }
    }
  });
This works. I get the new access_token and the call to the userinfo endpoint also works.
Now we come to the problem:
The same access_token sometimes won’t work serverside directly after the checkSession.
  const jwt = require('express-jwt');
  const jwks = require('jwks-rsa');

  // Validates the RS256 access token against the tenant's JWKS and checks
  // audience, issuer and expiry. Rejections are sent as 401 (e.g. "jwt expired").
  const authCheck = jwt({
    secret: jwks.expressJwtSecret({
      cache: true,
      rateLimit: true,
      jwksRequestsPerMinute: 10,
      jwksUri: '*url*'
    }),
    audience: '*audience*',
    issuer: '*issuer*',
    algorithms: ['RS256'],
    // The raw bearer token is already extracted onto req.token by express-bearer-token.
    getToken: function fromHeaderOrQuerystring(req) {
      return req.token;
    }
  });
(Don’t mind the req.token, I use a middleware called express-bearer-token for that)
To be precise, it won't work if I come back after a few hours. Meaning, checkSession still works and returns the new access_token, userinfo works too, but my endpoint responds with a 401, jwt token expired. Yes, I use the new access_token. I'm a bit confused, because if I refresh the page directly after it, the call to my server works with the same access_token that failed moments ago.
As I said, that's only an issue after a few hours; I don't know the exact moment though. Maybe someone knows an answer to this or can point me in the right direction. It's also hard to test, because in general the flow works totally fine.
Thanks in advance.
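Added diagnostic, not code from the original post: express-jwt delegates verification to jsonwebtoken, which reports "jwt expired" when the server clock is at or past the token's exp claim (plus any configured clockTolerance). To see which side is off when the 401 happens, decode the token the server actually received and log its iat/exp next to the server's own time. The snippet below does that without verifying the signature (express-jwt still does the real verification afterwards) and wraps it as a plain (req, res, next) middleware that sits between express-bearer-token and authCheck. The issuer and audience strings and the fixed clock value in the sample tokens are made up for an offline run; the sample tokens carry a placeholder signature and would be rejected by any real verifier.

```javascript
// Decode a JWT's claims without verifying it and compare exp with a clock.
// Diagnostic only: never use decodeJwtPayload() as an authorization decision.
// Runs on plain Node (Buffer only), no dependencies.

function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj))
    .toString('base64')
    .replace(/=+$/, '')
    .replace(/\+/g, '-')
    .replace(/\//g, '_');
}

function b64urlDecode(s) {
  let t = s.replace(/-/g, '+').replace(/_/g, '/');
  while (t.length % 4) t += '=';
  return Buffer.from(t, 'base64').toString('utf8');
}

// Constructed sample token: header + claims with a placeholder signature segment.
// Exists only so the diagnostic has input offline; a real verifier must reject it.
function makeSampleToken(claims) {
  return `${b64urlEncode({ alg: 'RS256', typ: 'JWT' })}.${b64urlEncode(claims)}.signature-placeholder`;
}

function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) {
    throw new Error('not a compact JWS: expected header.payload.signature');
  }
  return JSON.parse(b64urlDecode(parts[1]));
}

// Same rule jsonwebtoken applies before express-jwt answers 401 "jwt expired":
// the token is expired once now >= exp + clockTolerance (both in seconds).
// nowSeconds defaults to the machine clock so the middleware below reports what
// the server really sees; tests pass a fixed value.
function checkExpiry(token, nowSeconds = Math.floor(Date.now() / 1000), clockToleranceSeconds = 0) {
  const { exp, iat, aud, iss } = decodeJwtPayload(token);
  const hasExp = typeof exp === 'number';
  return {
    exp,
    iat,
    aud,
    iss,
    serverNow: nowSeconds,
    secondsUntilExpiry: hasExp ? exp - nowSeconds : null,
    expired: hasExp && nowSeconds >= exp + clockToleranceSeconds,
  };
}

// Express-style middleware: place it after express-bearer-token (which fills
// req.token) and before authCheck, so every 401 can be matched with the exact
// exp/iat and server time that produced it. Framework-free so it runs here as-is.
function logTokenExpiry(req, res, next) {
  if (req.token) {
    try {
      req.tokenDiag = checkExpiry(req.token);
      console.log('token diag', req.tokenDiag);
    } catch (e) {
      req.tokenDiag = { error: e.message };
      console.log('token diag: malformed token:', e.message);
    }
  }
  next();
}

// Constructed inputs: a fixed "server clock" and two sample tokens, one fresh
// (2h left) and one that expired 60s ago. Issuer/audience values are invented.
const NOW = 1700000000;
const SAMPLE_CLAIMS = { iss: 'https://example-tenant.auth0.com/', aud: 'https://api.example' };
const freshToken = makeSampleToken({ ...SAMPLE_CLAIMS, iat: NOW - 60, exp: NOW + 7200 });
const staleToken = makeSampleToken({ ...SAMPLE_CLAIMS, iat: NOW - 7260, exp: NOW - 60 });

console.log('fresh:', checkExpiry(freshToken, NOW));
console.log('stale:', checkExpiry(staleToken, NOW));
console.log('stale, 120s tolerance:', checkExpiry(staleToken, NOW, 120));
```

Wire it in as `app.use(bearerToken()); app.use(logTokenExpiry); app.use(authCheck);` (the first and last being the post's existing middleware). On the failing request, compare `serverNow` with `exp`: a negative `secondsUntilExpiry` with a freshly issued token points at the client sending an old token or the server clock being ahead, while a positive value with a 401 points elsewhere than expiry.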