We have an administrative portal that allows users to update their user data. After they update their profile we clear the local session and re-authenticate them with Auth0.
Flow looks something like this:
Update Profile → Clear Local Session → Authorize Call to Auth0 → New Session Cookie Issued → Redirect Back to Application
It seems something changed recently that is causing the Auth0 session to be invalid after the user changes their email address. Meaning after we clear their local session and try to re-authorize them with Auth0 they are redirected back to the universal login page. This does not happen when updating any other user fields.
Anyone familiar with this happening or know how to fix it? This is something that just started happening recently.
Thanks
Hi there, I’m not sure if you ever resolved this @noliver? But I have been experiencing a similar issue with my application.
I came across this thread Editing user data (first/last name) in SPA forces re-login on refresh because I was also experiencing an issue that was forcing users to log back in after changing their given_name and family_name. It turns out that because I was including the email address in the payload to the management api (since it is a field within the user details form) then the Success Change Email event was firing in the logs (despite the email address being the same).
Surely enough, removing the email address from the payload resolved this for me, users can update their given name/family name without having to reauthenticate.
However, it still leaves the question around the email address unanswered. I can only assume that the change of email address makes the JWT invalid which is why silent authentication fails, but what is the suggested way to deal with this from a user experience perspective? Should we be notifying users that they will have to sign back in after making this change? Or is there a way to bypass this?
I am using the auth0-react package for my project and have noticed that if I call the getAccessTokenWithPopup method after the user has changed their email address then the user can continue as normal, however, getAccessTokenSilently does not work as it fires the “Login is required” error.
It would be great if someone from Auth0 could point me in the direction of some documentation surrounding this. What is the recommended approach for dealing with this case?
Any help would be greatly appreciated. Thanks very much!
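The behaviour described in the post above (silent renewal fails with a "Login is required" error after an email change, while an interactive call succeeds) can be handled in the client rather than bypassed. The following is an added example, not code from the thread or from Auth0's SDK: it wraps the silent call, and only when the SDK reports the `login_required` error does it fall back to an interactive flow. It assumes the auth0-react client exposes `getAccessTokenSilently` and `getAccessTokenWithPopup` and that its errors carry an `error` property holding the Auth0 error code; the `makeStubClient` helper is a constructed stand-in for the real client so the snippet runs offline.

```javascript
// Added example: graceful fallback from silent token renewal to an
// interactive flow when Auth0 reports login_required (e.g. after the
// user's email address was changed and the SSO session is no longer valid).

async function getTokenWithFallback(auth0, options = {}) {
  try {
    // Normal path: silent renewal through the existing Auth0 session.
    const token = await auth0.getAccessTokenSilently(options);
    return { token, interactive: false };
  } catch (err) {
    // Assumption: SDK errors expose the Auth0 error code on `err.error`.
    if (err && err.error === 'login_required') {
      // The session cannot be renewed without user interaction; ask the
      // user to sign in again instead of treating this as an outage.
      const token = await auth0.getAccessTokenWithPopup(options);
      return { token, interactive: true };
    }
    // Any other error (network, consent_required, ...) is surfaced as-is
    // so it is not silently converted into a re-login.
    throw err;
  }
}

// Constructed stub that mimics the client's behaviour in the two states
// described in the thread: session still valid, or invalidated.
function makeStubClient(sessionInvalidated) {
  return {
    async getAccessTokenSilently() {
      if (sessionInvalidated) {
        const e = new Error('Login required');
        e.error = 'login_required';
        e.error_description = 'Login required';
        throw e;
      }
      return 'silent-token';
    },
    async getAccessTokenWithPopup() {
      return 'popup-token';
    },
  };
}

// Demonstration run (constructed input, no network access needed).
getTokenWithFallback(makeStubClient(true)).then((r) => {
  console.log(`interactive=${r.interactive} token=${r.token}`);
});
```

In a real application the fallback branch should be driven by a user gesture (a "sign in again" button calling `getAccessTokenWithPopup` or `loginWithRedirect`), since browsers block popups that are not user-initiated; the point of the wrapper is to recognise `login_required` as an expected outcome after an identity attribute such as the email changes, and to route the user through re-authentication deliberately rather than to work around it.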
Hi, are there any updates on this issue?