I’ve been searching and reading and there is something I’m missing out.
I understand that because of browsers ITP technology simply calling the getAccessTokenSilently() fails. And I see in the logs the following:
Success Login Successful login
Failed Silent Auth Login required
The error makes sense. But how do we see a login immediately afterwards? And in my webpage I don’t get logged out or anything, I simply get a new token even with the error and the “login required”.
After reading and finding out about ITP I implemented refresh tokens which makes the error go away. But my question is, how does it work even without a refresh token despite the error ?
And, a couple of months ago I had a similar question where I was indicated to look into refresh tokens. My goal is to avoid users having to login after a page refresh, which I can do even without the refresh token, because (again) the getAccessTokenSilently() fails in the logs but still gets me a new token. Is there a way to reuse tokens while they are still valid and avoiding the localstorage option? getAccessTokenSilently() gets me a new token everytime with or without refresh tokens.
I am sorry about the delayed response to your inquiry!
As mentioned in the Github documentation for Auth0 React:
If there’s a valid token stored, return it. Otherwise, opens an iframe with the /authorize URL using the parameters provided as arguments. Random and secure state and nonce parameters will be auto-generated. If the response is successful, results will be valid according to their expiration times.
If refresh tokens are used, the token endpoint is called directly with the ‘refresh_token’ grant. If no refresh token is available to make this call, the SDK will only fall back to using an iframe to the ‘/authorize’ URL if the useRefreshTokensFallback setting has been set to true. By default this setting is false.
If you are using something different than React, please let me know!
Otherwise, as mentioned above, the getTokenSilently() function will return a token if the user’s Auth0 session is still valid regardless if refresh tokens are used or not.
The Failed Silent Auth might be thrown by something else in your application. Are you sure that the error is being thrown by getAccessTokenSilently() and not by something else?
Also, does the user get redirected when trying to fetch the token or do they get directly logged in? If that is the case, the application might not detect that the user has a valid session, throws the error, redirects to the /authorize endpoints, they have a valid session and get redirected back with the token.
After some research on my side I can say that the Failed Silent Auth is not being thrown by getAccessTokenSilently(). It looks like it throws after calling loginWithRedirect(), but if I just add useRefreshTokens={true} to the Auth0Provider the Failed Silent Auth is not thrown anymore.
Our flow is something like if isAuthenticated is false then loginWithRedirect() and after that we call the getAccessTokenSilently()
The login counter for the user in the dashboard stays the same so I assume the application detected a valid session, therefore I would expect the getAccessTokenSilently() to return the same token if not expired, or did I misunderstand ?
Indeed, getAccessTokenSilently() should return a valid token if there is one present. Meaning that, in your use case, if isAuthenticated() is false, the user will be redirected to the /authorize endpoint in order to authenticate. If getAccessTokenSilently() is called after that, it should return the same token. If the user is not authenticated and getAccessTokenSilently() is called, they should be redirected to /authorize call and throw the Failed Silent Auth error.