I have authentication with claims working except sessions are not persisting when refreshing the browser. I’m using auth0-spa-js with vanilla JS (well, Svelte actually), I have cacheLocation: "localstorage" when calling createAuth0Client, I see the @@auth0spajs@@ entries in localstorage, yet when refreshing my browser window, it never persists the session.

Could this be an issue with me using token = auth0.getIdTokenClaims.__raw to get the RAW token to include in my headers instead of using token = auth0.getTokenSilently which I think is called automatically when refreshing. Retrieving the __raw token this way works: on the Dgraph end I’m able to get the custom claims injected by an Auth0 rule I created…

If I use auth0.getTokenSilently, I get an opaque access_token because I’m missing the audience property. The audience that dgraph recommends to put in dgraph schema is AUTH0-APP-CLIENT-ID (e.g. “FstBEWxxxxxxxxxxxxxxxxxxxxxx_wqp”), yet when I try to add that as the audience value when calling createAuth0Client I get the error “Service not found” for that audience value. The ONLY way I don’t get the service not found is if I use audience: "https://my-app.auth0.com/api/v2/" at which point, it works – auth0.getTokenSilently returns a real JWT… BUT WITH NO USER INFO NOR MY CLAIMS (I confirm it at jwt.io).

FYI - I have Google OAuth social as an identity provider.
So… What should I do to get sessions persisting?

- Stick to using auth0.getIdTokenClaims.__raw for headers AND try to figure out how to fix the refresh? Any ideas on how to get session working in that case?
- Or should I try to use auth0.getTokenSilently to get a JWT by using audience of https://my-app.auth0.com/api/v2/ AND figure out how to get the user info and claims injected by my Auth0 Rule which don’t appear in it? Any ideas on how to get that? And would this address the original issue of session not retaining on browser refresh?

Thank you for any help!
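
The token comparison described in the post (opaque access token, JWT with or without custom claims) can be done locally in Node rather than by pasting tokens into a website. This is an added example, not part of the original post or of auth0-spa-js; `inspectToken`, the sample tokens, the client ID placeholder and the `https://example.test/claims/role` claim name are all constructed, and it assumes custom claims use URL-style namespaced keys.

```javascript
// Added example: inspect a token locally instead of pasting it into a web tool.
// Inspection only; no signature verification is performed here.

function b64urlDecode(seg) {
  return Buffer.from(seg.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Returns { kind: 'opaque' } for anything that is not a three-part JWT with a
// JSON object payload; otherwise the audience list and the namespaced claims.
function inspectToken(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { kind: 'opaque' };
  let payload;
  try {
    payload = JSON.parse(b64urlDecode(parts[1]));
  } catch (err) {
    return { kind: 'opaque' };
  }
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) {
    return { kind: 'opaque' };
  }
  // Assumption: custom claims use URL-style namespaced keys.
  const customClaims = Object.keys(payload).filter((k) => /^https?:\/\//.test(k));
  return {
    kind: 'jwt',
    aud: [].concat(payload.aud || []),
    hasSubject: typeof payload.sub === 'string',
    customClaims,
  };
}

// Constructed sample tokens (fake values, placeholder signature segment).
const fakeJwt = (payload) =>
  [b64urlEncode({ alg: 'RS256', typ: 'JWT' }), b64urlEncode(payload), 'sig'].join('.');
const SAMPLES = {
  opaque: 'constructed-opaque-token-value',
  idToken: fakeJwt({ sub: 'google-oauth2|0000', aud: 'CONSTRUCTED_CLIENT_ID',
    'https://example.test/claims/role': 'member' }),
  accessToken: fakeJwt({ sub: 'google-oauth2|0000', aud: 'https://my-app.auth0.com/api/v2/' }),
};

for (const [name, tok] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(inspectToken(tok)));
}
```

Decoding the payload this way shows what a token carries but says nothing about whether it is valid; the API receiving it still has to verify the signature and audience.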