`oidc.isAuthenticated()` returns true even though the user does not exist in Auth0

Hi,
I’ve integrated Auth0 on a Node.js/Express application (by following this tutorial: Auth0 Node (Express) API SDK Quickstarts: Authorization, based on GitHub - auth0/express-openid-connect: An Express.js middleware to protect OpenID Connect web applications.) and it’s been working fine.

That being said, application logs reveal errors on several requests because oidc.isAuthenticated() returns true for users that do not exist in Auth0, according to the userId I’m extracting using request.oidc.user.sub.replace('auth0|', ''); (inspired by express-openid-connect/EXAMPLES.md at master · auth0/express-openid-connect · GitHub). And there is no trace indicating that these users were freshly created, nor recently deleted.

Is it possible that I’ve forgotten to secure something in the way users login?

Hi @adrienjoly,

Could you share the error logs and their error descriptions regarding oidc.isAuthenticated() returning true for users that do not exist in Auth0?

If you prefer, you can DM me the full log event and your tenant name to investigate further.

Let me also point out that the user_id should have the format auth0|123456789 when searching for them on Auth0.

Thanks,
Rueben

Thank you for your reply, Rueben! I sent you a private message.

Update: I did find an entry for that user in Auth0’s user management dashboard, but not in our database. That user does not exist in our database, and the only log entries I found about them are these error messages. I found no trace of them signing up nor deleting their account.

Hi @adrienjoly,

I’m glad you were able to find that user in the user management section of the Dashboard.

Let me clarify that logs are only retained for 1 day on the free subscription plan. Therefore, if this user signed up or was deleted more than 24 hours ago, the logs will not show this log event. (Reference: Log Data Retention)

I have checked your tenant further and found that you have only 1 regular database connection. If the user does not exist in your Auth0 database and is maintained separately from the database in Auth0, there can be inconsistencies with the user profile when searching for their profile in your own database. You might want to consider using a custom database if you want to have the users in your own database.

Thanks,
Rueben

Hi Rueben,

I found a way to reproduce the issue:

  1. as a visitor on openwhyd.org, click on login
  2. on the auth0 login form, click on signup
  3. enter credentials for new user account
    => you are redirected to openwhyd.org, the login button is still visible (as if you were not logged in), and no user account was created on openwhyd’s db

Why does this happen?

User account creation must go through the /register endpoint, which happens only when the user clicked on OUR /signup endpoint, because that endpoint specifies `returnTo: '/register'`, but this doesn’t happen when the user clicked on Auth0’s “sign up” link (from the Auth0 “login” page).

=> I wrote and merged a pull request that hopefully fixes this issue.

Thanks again for your help!
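
The gap described in the reproduction above is that `req.oidc.isAuthenticated()` only tells you Auth0 has a session for the user; it says nothing about whether the application’s own database has a record for them, and a user who signed up through Auth0’s own “sign up” link never passes through the app’s /signup → /register path. The following is an added example, not code from this thread, from openwhyd, or from express-openid-connect: an Express-style middleware that checks the local store on every authenticated request and sends users without a local record to the app’s /register endpoint, whichever way they arrived. It assumes a hypothetical in-memory Map as the stand-in for the application database, keyed by the full OIDC `sub` (the `auth0|123456789` format Rueben mentions) rather than the stripped id, and a `registerPath` of `/register`; the req/res fakes exist only so it runs without Express installed.

```javascript
// Added example (not from the thread, openwhyd, or express-openid-connect).
// express-openid-connect sets req.oidc.isAuthenticated() as soon as Auth0 has
// issued a session; whether a row exists in the application's own database is
// a separate question. This middleware reconciles the two on every request.
//
// Assumptions (hypothetical): the local store is a Map keyed by the full OIDC
// `sub` (e.g. "auth0|123456789"), and `registerPath` is the app's own
// registration endpoint that creates the local record.

const localUsers = new Map(); // constructed stand-in for the application's database

function createEnsureLocalUser({ store = localUsers, registerPath = '/register' } = {}) {
  return function ensureLocalUser(req, res, next) {
    // Not logged in at Auth0: nothing to reconcile, let the route decide.
    if (!req.oidc || !req.oidc.isAuthenticated()) return next();

    const sub = req.oidc.user && req.oidc.user.sub;
    if (typeof sub !== 'string' || sub.length === 0) {
      // An authenticated session without a subject is malformed; fail closed.
      res.status(401).end();
      return;
    }

    // Keep the full `sub` ("auth0|...") as the key so it matches the user_id
    // format shown in the Auth0 dashboard and cannot collide across connections.
    if (store.has(sub)) {
      req.localUser = store.get(sub);
      return next();
    }

    // Auth0 knows the user but the app does not: exactly the state that produced
    // the errors in the thread. Avoid a redirect loop when already on registerPath.
    if (req.path === registerPath) return next();
    res.redirect(registerPath);
  };
}

// Minimal fakes for req/res so the middleware can be exercised without Express.
function makeReq({ authenticated, sub, path = '/' }) {
  return {
    path,
    oidc: {
      isAuthenticated: () => authenticated,
      user: sub === undefined ? undefined : { sub },
    },
  };
}

function makeRes() {
  const res = { statusCode: 200, redirectedTo: null, ended: false };
  res.status = (code) => { res.statusCode = code; return res; };
  res.end = () => { res.ended = true; return res; };
  res.redirect = (url) => { res.statusCode = 302; res.redirectedTo = url; return res; };
  return res;
}

// Runs the middleware once against a constructed request and reports its decision.
function runOnce(reqOptions, store) {
  const mw = createEnsureLocalUser({ store });
  const req = makeReq(reqOptions);
  const res = makeRes();
  let passedThrough = false;
  mw(req, res, () => { passedThrough = true; });
  return {
    passedThrough,
    statusCode: res.statusCode,
    redirectedTo: res.redirectedTo,
    localUser: req.localUser || null,
  };
}
```

Mounting `createEnsureLocalUser()` after `auth()` and before the application routes means a visitor who created their account on Auth0’s hosted page lands on /register on their first request instead of showing up in the logs as an authenticated user the database has never heard of; `runOnce({ authenticated: true, sub: 'auth0|222' }, new Map())` returns a 302 to `/register`, while a `sub` present in the store passes through with `req.localUser` populated.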

Hi @adrienjoly,

Thanks for the follow-up and clarification!

Yes, it sounds good that you have merged a pull request that hopefully fixes the issue.

If you continue having issues with this, please let us know.

Cheers,
Rueben