Session not persisting using cacheLocation: localstorage

I have authentication with claims working except sessions are not persisting when refreshing the browser. I’m using auth0-spa-js with vanilla JS (well, Svelte actually), I have cacheLocation: "localstorage" when calling createAuth0Client, I see the @@auth0spajs@@ entries in localstorage, yet when refreshing my browser window, it never persists the session.

Could this be an issue with me using token = auth0.getIdTokenClaims.__raw to get the RAW token to include in my headers instead of using token = auth0.getTokenSilently, which I think is called automatically when refreshing? Retrieving the __raw token this way works: on the Dgraph end I’m able to get the custom claims injected by an Auth0 rule I created…

If I use auth0.getTokenSilently, I get an opaque access_token because I’m missing the audience property. The audience that Dgraph recommends to put in the Dgraph schema is AUTH0-APP-CLIENT-ID (e.g. “FstBEWxxxxxxxxxxxxxxxxxxxxxx_wqp”), yet when I try to add that as the audience value when calling createAuth0Client I get the error “Service not found” for that audience value. The ONLY way I don’t get “Service not found” is if I use audience: "https://my-app.auth0.com/api/v2/", at which point it works – auth0.getTokenSilently returns a real JWT… BUT WITH NO USER INFO NOR MY CLAIMS (I confirm it at jwt.io).

FYI - I have Google OAuth social as an identity provider.

So… What should I do to get sessions persisting?

  • Stick to using auth0.getIdTokenClaims.__raw for headers AND try to figure out how to fix the refresh? Any ideas on how to get session working in that case?

  • Or should I try to use auth0.getTokenSilently to get a JWT by using audience of https://my-app.auth0.com/api/v2/ AND figure out how to get the user info and claims injected by my Auth0 Rule which don’t appear in it? Any ideas on how to get that? And would this address the original issue of session not retaining on browser refresh?

Thank you for any help!

Hi @garym,

Welcome back.

Are you using refresh token rotation? That might help solve some of the persistence issues.

As for the opaque token issues, it looks like the audience you are requesting the token for is not registered in your dashboard. The audience param is meant to indicate which API is going to consume the token. It shouldn’t simply be a client id. It needs to be a registered API with an identifier, that is why the management API URI is working for you.

As for the claims being returned… this could be because you aren’t requesting enough scopes. I would try and figure out the audience issue and see if you are still encountering this problem.
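The two things being debugged in this thread, the page-load sequence that lets a refresh reuse the cached session and a local check that separates an opaque access token from a JWT carrying the expected audience and custom claims, as an added example. This is not code from the posts above, from auth0-spa-js or from Dgraph. The method names handleRedirectCallback, isAuthenticated and getTokenSilently are the v1-style auth0-spa-js client API; the client object is passed in so a fake can stand in for it here. The API identifier, claim namespace and tokens are constructed placeholders, and Buffer means this runs under Node.js (use atob/btoa in a browser).

```javascript
// Added example for this thread: not code from the original posts, from
// auth0-spa-js or from Dgraph. restoreSession() is the page-load sequence that
// lets a refresh reuse the cached session; inspectToken() tells an opaque access
// token (no registered API audience requested) apart from a JWT and reports
// whether the expected audience and namespaced custom claims are present.
// Against auth0-spa-js (v1-style API) pass the object returned by
// createAuth0Client({ domain, client_id, audience, cacheLocation: 'localstorage',
//                     useRefreshTokens: true }).
// Decoding here is only for debugging; the API that consumes the token (Dgraph)
// still has to verify the signature.

async function restoreSession(auth0, locationSearch) {
  // Coming back from loginWithRedirect, the URL carries ?code=<code>&state=<state>.
  // That exchange must run before anything else, or the localstorage cache entry
  // is never written and the next refresh starts from scratch.
  if (/[?&]code=/.test(locationSearch) && /[?&]state=/.test(locationSearch)) {
    await auth0.handleRedirectCallback();
  }
  // On a plain refresh, isAuthenticated() consults the cache.
  if (!(await auth0.isAuthenticated())) {
    return { authenticated: false, accessToken: null };
  }
  // getTokenSilently() returns the cached access token or renews it with the
  // refresh token; this, not the raw ID token, is what API requests should carry.
  return { authenticated: true, accessToken: await auth0.getTokenSilently() };
}

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}

// Reports what a token is and whether it is usable for the intended API.
function inspectToken(token, { expectedAudience, claimNamespace } = {}) {
  const parts = token.split('.');
  if (parts.length !== 3) return { kind: 'opaque' };
  let header, payload;
  try {
    header = JSON.parse(base64UrlDecode(parts[0]));
    payload = JSON.parse(base64UrlDecode(parts[1]));
  } catch (_) {
    return { kind: 'opaque' };
  }
  const aud = [].concat(payload.aud ?? []);            // aud may be a string or an array
  const customClaims = Object.fromEntries(
    Object.entries(payload).filter(([k]) => claimNamespace && k.startsWith(claimNamespace)));
  return {
    kind: 'jwt',
    alg: header.alg,
    audienceMatches: expectedAudience ? aud.includes(expectedAudience) : null,
    expired: typeof payload.exp === 'number' && payload.exp * 1000 < Date.now(),
    customClaims,
  };
}

// Constructed, unsigned sample tokens (alg "none", empty signature) for the demo.
function makeUnsignedJwt(payload) {
  return `${base64UrlEncode({ alg: 'none', typ: 'JWT' })}.${base64UrlEncode(payload)}.`;
}

const API_AUDIENCE = 'https://api.example.invalid/dgraph';  // hypothetical registered API identifier
const CLAIM_NS = 'https://example.invalid/jwt/claims';      // hypothetical Rule claim namespace
const FAR_FUTURE = 4102444800;                              // 2100-01-01, so the samples never expire

const JWT_WITH_CLAIMS = makeUnsignedJwt({
  sub: 'google-oauth2|123', aud: [API_AUDIENCE], exp: FAR_FUTURE,
  [CLAIM_NS]: { USER: 'user@example.invalid', ROLE: 'ADMIN' },
});
const JWT_MGMT_API = makeUnsignedJwt({
  sub: 'google-oauth2|123', aud: 'https://my-app.auth0.com/api/v2/', exp: FAR_FUTURE,
});
const OPAQUE_TOKEN = 'x5yt9qklmn3v2bzq';                    // constructed opaque token

// Fake client standing in for the auth0-spa-js object (constructed for the demo).
function fakeAuth0Client(cachedAccessToken) {
  let authenticated = cachedAccessToken !== null;
  return {
    async handleRedirectCallback() { authenticated = true; },
    async isAuthenticated() { return authenticated; },
    async getTokenSilently() {
      if (!authenticated) throw new Error('login_required');
      return cachedAccessToken ?? JWT_WITH_CLAIMS;
    },
  };
}

console.log(inspectToken(OPAQUE_TOKEN));
console.log(inspectToken(JWT_WITH_CLAIMS, { expectedAudience: API_AUDIENCE, claimNamespace: CLAIM_NS }));
console.log(inspectToken(JWT_MGMT_API, { expectedAudience: API_AUDIENCE, claimNamespace: CLAIM_NS }));
restoreSession(fakeAuth0Client(JWT_WITH_CLAIMS), '').then(console.log);
```

Run against real tokens, the management API token from the post above comes back as a JWT whose aud is the management API and whose customClaims is empty, which is the symptom described there: the audience belongs to an API that was never meant for Dgraph, and custom claims a Rule sets on context.idToken only ever appear in the ID token; to see them in the access token the Rule has to set them on context.accessToken under the same namespace, and the audience passed to createAuth0Client has to be the identifier of an API registered in the dashboard, as the reply above says.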

Hi Dan,

Thanks for responding. Yes, I have useRefreshTokens to true.

The claims work fine with me getting the __raw token, so unless there’s a problem with doing that, I’ll just keep using that for now.

The main issue is SESSIONS are not persisting. Is there something wrong I’m doing that refreshing the browser doesn’t retain the session? I see the localstate storage… somehow it’s not persisting. Thanks for any help.

Can you DM me a HAR of the login?